目录

OSS-bucket_policy_readable

OSS-object_public_access

OSS-bucket_object_traversal

OSS-Special Bucket Policy

OSS-unrestricted_file_upload

OSS-object_acl_writable

ECS-SSRF

---

云攻防场景下对云厂商服务的利用大同小异，下面以阿里云为例

其他如腾讯云、华为云、谷歌云、AWS、Azure不一一列举

OSS-bucket_policy_readable

桶策略可读

?policy可以看到存储桶策略

成功读到flag

OSS-object_public_access

对象公共访问

resource "alicloud_oss_bucket_object" "huoxian_terraformgoat_object" {bucket     = alicloud_oss_bucket.huoxian_terraformgoat_bucket.bucketacl        = "public-read"key        = "flag"source     = "./flag"depends_on = [alicloud_oss_bucket.huoxian_terraformgoat_bucket]
}

访问./flag

OSS-bucket_object_traversal

存储桶对象遍历

{"Effect": "Allow","Action": ["oss:ListObjects","oss:GetObject"],"Principal": ["*"],"Resource": ["acs:oss:*:*:*"],"Condition": {"StringLike": {"oss:Prefix": ["*"]}}}

OSS-Special Bucket Policy

特殊存储桶策略

{"Effect": "Allow","Action": ["oss:ListObjects","oss:GetObject"],"Principal": ["*"],"Resource": ["acs:oss:*:*:*"],"Condition": {"StringEquals": {"acs:UserAgent": ["HxSecurityLab"]}}}

默认无权限访问

加上UA头

User-Agent: HxSecurityLab

OSS-unrestricted_file_upload

不受限制的文件上传

resource "alicloud_oss_bucket_object" "flag" {bucket       = alicloud_oss_bucket.Put_bucket_acl.bucketkey          = "hx.png"source       = "./dist/hx.png"content_type = "inline"acl          = "public-read-write"
}

PUT覆盖原有文件

PUT新建文件

OSS-object_acl_writable

对象ACL可写

{"Version": "1","Statement": [{"Effect": "Allow","Action": ["oss:GetObjectAcl","oss:PutObjectAcl"],"Principal": ["*"],"Resource": ["acs:oss:*:*:*/*"]}]
}

直接访问flag.txt，403

查看acl

通过PUT方法将Object的ACL改为public-read

PUT /flag.txt?acl HTTP/1.1
Host: hx-cloud-security-2rr50.oss-cn-beijing.aliyuncs.com
x-oss-object-acl: public-read

看到成功修改

成功读到flag

ECS-SSRF

用户可以通过 SSRF 漏洞获取到 ECS 上的元数据、用户数据等信息。

读取元数据

http://100.100.100.200/latest/meta-data/

100.100.100.200 是一个特殊的保留 IP 地址，用于阿里云的元数据服务（Metadata Service）。它允许云服务器实例从内部网络获取自身的元数据，而无需访问外网。

读取用户数据

http://100.100.100.200/latest/user-data/

User Data：用户在创建 ECS 时传入的脚本或配置

读flag

file:///flag69152201.txt